She adds (111222333, 2018-01-01 12:00:00Z) to her database of expired tokens

The token will be deleted after 2018-01-01 12:00:00Z, preventing the database from growing indefinitely

Alice is able to verify her own signature (s, R, Z, M) by repeating the steps made by Bill, though she is not able to track who made a payment to Bill. It's true because even if Alice has recorded the s' component in her database during the signature phase, she will not be able to match it, because during the repayment phase she will receive (s, R) instead of (s', R'), and so by subtracting the recorded s' from s she will get:

P.S.
The scheme provided in the following paper seems to have a flaw in it (during the signature phase, a signer may embed the requester's identity data into h(z), which may be recovered during the verification phase, and so the requester's identity may be disclosed by the verifier if signer and verifier share a common database):

@Lu4 no, Chaum's one is a secure blind signature scheme but not a partially blind scheme (and if you want to make it partially blind I am only aware of approaches that are insecure).
– DrLecter May 8 '14 at 9:27

1 Answer

Designing such signature schemes from scratch without having strong experience is very likely to fail and very dangerous (see the tons of bad papers out there being accepted to "dubious" conferences and journals).

I just took a quick look and you have the following problem (observe that you can freely choose $s$ and $R$):

Set $R:=Q$, choose any $M$ and $Z$ of your choice, then set $s:= h(Z)+h(M) \bmod n$ and the verification relation holds. Thus, you can forge a signature for arbitrary $M$ and $Z$ of your choice.

Ok, now you could say: "Let's introduce a check if $Q=R$ and whether $s$ is not of the form $h(Z)+h(M) \bmod n$ to avoid this problem".

But you can arbitrarily "blind" $s$ and $R$: set $R=Q-aP$ for an arbitrary $a\in \mathbb{Z}_n$ and then set $s:= h(Z)+h(M)+a \bmod n$. Note that your verification relation requires that:

$$sP - Q + R = zP + mP$$

Now lets plug in

$$(h(Z)+h(M)+a)P - Q + (Q-aP) = h(Z)P+h(M)P=mP+zP$$

which is a valid forgery and also totally breaks your scheme. Now you may introduce an additional check that $s$ and $R$ are not blinded that way. But I am quite sure (since I just took a quick look) that you will find more issues (this is still a key only attack and to achieve unforgeability we speak of security against chosen message attacks).

I just want to give you the advice that designing signature schemes (irrespective of whether they are standard signature schemes, or blind or partially blind or what else) is an art, and in your situation (for a project) I think it's the best advice to simply rely on established schemes (see at the bottom of the answer). If you still want to design signature schemes, study the required security properties at first and then think about how you could meet them (and you should also provide a proof that these properties hold).

The approach in your linked paper

The authors of the paper you have linked to seem to have no idea how the accepted security model for blind signatures and in particular the blindness property is defined.

Basically, blindness requires that a malicious signer who is allowed to specify two messages $(M_0,M_1)$ and executes the signing process for both messages with an honest receiver is not able to decide in which order the signing processes have been executed.

Now, in your linked paper, the signer can trivially do so for the two messages: Namely, if the signer receives a candidate "blinded message" $m_bQ$ (where $b$ is either 0 or 1, he does not know, and $m_b=H(M_b)$), then the signer simply checks if $H(M_0)Q$ equals the received $m_bQ$. If this is the case he signs $M_0$ in this process and $M_1$ otherwise. Consequently, the scheme is not providing the blindness property.

Actually, they seem to more likely want to build a partially blind signature scheme, but the scheme will also not satisfy partial blindness (for the same reason as above).

I did not even look at the unforgeability (non-forgeability as they call it) of the scheme as the above is sufficient to throw away the paper. But as their models seem very handcrafted and the "proofs" are not convincing, I guess it can be broken w.r.t. this property as well.

Existing partially blind signature schemes

A well accepted and quite standard approach to partially blind signatures is the one in this paper by Abe and Okamoto (and this can also be implemented on elliptic curves). This one (more of theoretical interest) and this one are also provably secure (in the standard model in contrast to the first) but rely on pairing friendly elliptic curves. So maybe the easiest one to implement is the first one.
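As an added example, not code from the question, the answer or any of the linked papers: the two forgeries from the answer (the $R=Q$ case and the "blinded" $R=Q-aP$ case) and the blindness failure the answer describes, checked on a toy curve. It assumes only the verification relation as the answer quotes it ($sP - Q + R = zP + mP$ with $z=h(Z)$, $m=h(M)$), a constructed textbook curve over $\mathbb{F}_{17}$, SHA-256 reduced mod $n$ as $h$, a constructed private key $d=7$ that the forger never touches, and function names chosen here.

```python
import hashlib

# Constructed toy curve (a textbook example): y^2 = x^3 + 2x + 2 over F_17 with base
# point P = (5, 1), which has order 19.  Far too small for real use; chosen so the
# algebra from the answer can be checked instantly.  The point at infinity is None.
p, A, B = 17, 2, 2
P = (5, 1)
INF = None


def ec_add(X, Y):
    """Affine point addition on y^2 = x^3 + A x + B over F_p (handles doubling)."""
    if X is INF:
        return Y
    if Y is INF:
        return X
    x1, y1 = X
    x2, y2 = Y
    if x1 == x2 and (y1 + y2) % p == 0:   # X == -Y (includes doubling a point with y = 0)
        return INF
    if X == Y:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_neg(X):
    return INF if X is INF else (X[0], (-X[1]) % p)


def ec_mul(k, X):
    """Double-and-add scalar multiplication; k is a non-negative integer."""
    R = INF
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == "1":
            R = ec_add(R, X)
    return R


def point_order(X):
    """Smallest k > 0 with k*X = INF, found by repeated addition (fine for a toy curve)."""
    k, Y = 1, X
    while Y is not INF:
        Y = ec_add(Y, X)
        k += 1
    return k


n = point_order(P)   # 19 for this curve


def h(data: bytes) -> int:
    """Hash to a scalar mod n, playing the role of h(.) in the question."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def verify(Q, sig, Z, M):
    """The verification relation quoted in the answer: sP - Q + R == zP + mP,
    with z = h(Z), m = h(M).  Nothing else about the scheme is assumed."""
    s, R = sig
    lhs = ec_add(ec_add(ec_mul(s % n, P), ec_neg(Q)), R)
    rhs = ec_mul((h(Z) + h(M)) % n, P)
    return lhs == rhs


def forge(Q, Z, M, a):
    """Key-only forgery from the answer, using only the public key Q:
    R := Q - aP and s := h(Z) + h(M) + a (mod n).  a = 0 is the first, simpler
    forgery (R = Q); any other a is the 'blinded' variant."""
    R = ec_add(Q, ec_neg(ec_mul(a % n, P)))
    s = (h(Z) + h(M) + a) % n
    return (s, R)


def signer_candidates(Q, blinded, M0, M1):
    """Blindness failure of the linked paper as the answer describes it: the
    'blinded' value is m_b * Q with m_b = h(M_b), so a signer who chose M0 and M1
    just recomputes both and sees which one matches.  Returns every b that matches
    (both, in the unlikely event h(M0) == h(M1) on this tiny group)."""
    return [b for b, Mb in enumerate((M0, M1)) if ec_mul(h(Mb), Q) == blinded]


if __name__ == "__main__":
    d = 7                       # constructed private key, never used by the forger
    Q = ec_mul(d, P)
    Z, M = b"valid-until:2018-01-01T12:00:00Z", b"pay Bill 10"
    for a in (0, 5, 18):
        assert verify(Q, forge(Q, Z, M, a), Z, M), "forgery should verify"
    print("forgeries for a in {0, 5, 18} all pass verification")
    seen = ec_mul(h(M), Q)      # what the signer receives in the paper's scheme
    print("signer identifies message index", signer_candidates(Q, seen, M, b"other"))
```

The point of `forge` is that it never reads `d`: the relation $sP - Q + R = zP + mP$ is satisfied by construction for every $a$, so any check that rejects one particular shape of $(s, R)$ can be sidestepped by choosing another $a$. That is why the answer calls this a key-only attack and why patching individual cases does not restore unforgeability.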

Nice answer, no luck with my project, anyway now I understand how this ECC mantra works and more than that now I have the literature describing the process. However I may still wanna try fixing the forgery pattern you've found; I think it will take some time for me to work through the papers you've proposed. Unfortunately, as you see, there is a huge amount of low-level literature on the subject flying around on the internet, and it takes time to distinguish good ones from bad ones, and if I were to use the proposed scheme without asking it wouldn't work in the end, so thank you for your time.
– Lu4 May 7 '14 at 13:36

I would appreciate it if you added more references later
– Lu4 May 7 '14 at 13:40

@Lu4 I added two more references. There are not so many out there that are proven to be secure. I'd go with the one due to Abe and Okamoto as it should not be too hard to implement for your project.
– DrLecter May 7 '14 at 14:17

Where you have h(Z)+h(Z), one Z should be M.
– Brock Hansen May 7 '14 at 19:43


@Lu4 If you work in elliptic curves you can directly work in the prime order n group. If you work in $Z_p^*$ there are various ways to generate p and q. Surely q can divide p−1 (p−1 is not prime, p is). Just ask a new question. But I am quite sure someone else has already asked this before here.
– DrLecter May 8 '14 at 10:01